Shutdown: Clear virtual memory pagefile

bbf7d8e7-9ffe-4643-8910-55c5a6f9f824

Important information that is kept in real memory might be written periodically to the paging file. This helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This is a time-consuming process, but it can expose data that is cached from RAM to the paging file.

IMPORTANT NOTE: Clearing the page file securely deletes the information in the temporary page file. This process takes time, depending on page file size and drive speed. On a very large-memory server with slow disk access, it could take 20 to 30 minutes. This only affects a planned server shutdown; it does not run on an unplanned or emergency shutdown.

Remediation

  • Run gpedit.msc (or run Group Policy Editor from your Domain Controller and add or edit a Group Policy)
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options on the left panel
  • In the right panel, find and double-click the Shutdown: Clear virtual memory pagefile policy
  • In the policy settings window, select the Enabled radio option, and then click on the OK button to save the changes
  • If you set the policy from a Domain Controller, you can run gpupdate from a command prompt on a workstation/server to pull the updated policy
  • Restart your computer for the changes to take effect
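
To confirm the result of the steps above on a given host, the following PowerShell is an added example (not part of the original page or of Microsoft's documentation). It reads the `ClearPageFileAtShutdown` registry value that this policy controls and reports the allocated page file size, which determines how much longer a planned shutdown will take. The function name and the `-Remediate` switch are hypothetical names chosen for this example.

```powershell
# Added example: audit (and optionally set) the registry value behind
# "Shutdown: Clear virtual memory pagefile". Run from an elevated prompt.
function Test-ClearPageFileAtShutdown {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)   # hypothetical switch name, for this example only

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $name = 'ClearPageFileAtShutdown'

    # A missing value is treated like 0: the page file is not cleared.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = 0 }

    # Allocated page file size (MB) drives the extra time a planned shutdown takes.
    $pageFiles = @(Get-CimInstance -ClassName Win32_PageFileUsage)
    $totalMB   = ($pageFiles | Measure-Object -Property AllocatedBaseSize -Sum).Sum

    # Local fix only; a domain GPO that configures this policy wins at next refresh.
    if ($current -ne 1 -and $Remediate -and
        $PSCmdlet.ShouldProcess($key, "Set $name = 1")) {
        Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        $current = 1
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Compliant       = ($current -eq 1)
        RegistryValue   = $current
        PageFiles       = $pageFiles.Name -join '; '
        PageFileTotalMB = [int]$totalMB
    }
}

# Report only; add -Remediate (optionally with -WhatIf) to set the value locally.
Test-ClearPageFileAtShutdown
```

A host with `Compliant = False` after `gpupdate` and a restart has not received the policy; check which Group Policy objects apply to it before setting the value locally.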

More Info: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile